[Opendnssec-develop] Creating keys
jad at jadickinson.co.uk
Mon Dec 1 13:50:48 UTC 2008
On 30 Nov 2008, at 14:46, Olaf Kolkman wrote:
> On Nov 28, 2008, at 5:47 PM, Stephen.Morris at nominet.org.uk wrote:
>> Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 27/11/2008 16:01:26:
>>> On Nov 27, 2008, at 4:54 PM, John Dickinson wrote:
>>>> So I guess if you have a large zone like co.uk then a couple of
>>>> seconds in the 6 odd minutes that it would take to sign from
>>>> is nothing. However, if you have 1000's of small zones or you are
>>>> dynamically updating every minute then it could make a big
>>> But even then... the key-rollover would take place only once per
>>> or so. So this 2 second pain per zone only happens once or twice per
>> In this approach, are there any problems in ensuring that the keys
>> replicated to a backup HSM before they are used? Do you need any
>> type of "master" password to export private keys from the HSM?
> And again, here I can see many zones using one private key. With
> that possibility a number of these questions do not pop up. One
> private key (with many public key instances) that is used for many
> zones. One single generation, one single backup and all this magic.
> Not that one priv-key to many zones excludes many-to-many.
If you share keys, do you need to coordinate key rollovers? For
example, what if you have 10 zones all sharing a key? Can you
then add an 11th? It will have a different timeline for key rollovers.
For starters, the key publication and ready dates will be different,
which means that the predicted key retire and dead times will be
different. I guess you could sync them by retiring the key early in
zone 11. Does rollover need to be done for all zones at the same time?
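The timing problem raised in this message, worked through as an added example. This is not OpenDNSSEC code and not John's; it assumes a simplified key-state model (ready = publish + DNSKEY TTL + propagation delay, dead = retire + the same hold time) and the names `ZoneParams`, `KeyTimeline`, `shared_key_timeline`, `has_active_window` and `lifetime_given_up` are all invented here. The zone data is constructed: ten zones that publish the shared key on 1 Dec 2008 and an eleventh that joins two weeks later.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ZoneParams:
    name: str
    publish: datetime        # when the DNSKEY is first put into this zone
    dnskey_ttl: timedelta    # TTL of the DNSKEY RRset in this zone
    propagation: timedelta   # worst-case delay until every secondary serves the new zone
    lifetime: timedelta      # intended active lifetime of the key in this zone


@dataclass(frozen=True)
class KeyTimeline:
    publish: datetime
    ready: datetime   # safe to start signing with the key
    retire: datetime  # stop signing with the key
    dead: datetime    # safe to remove the DNSKEY from the zone


def zone_timeline(z: ZoneParams) -> KeyTimeline:
    """Timeline the key would follow if this zone were the only user of it."""
    # Assumed model: validators may hold the old DNSKEY RRset for one TTL after the
    # last secondary started serving the new one, so wait TTL + propagation.
    hold = z.dnskey_ttl + z.propagation
    ready = z.publish + hold
    retire = ready + z.lifetime
    dead = retire + hold       # cached DNSKEY RRsets may still be used until then
    return KeyTimeline(z.publish, ready, retire, dead)


def shared_key_timeline(zones: list[ZoneParams]) -> KeyTimeline:
    """Conservative timeline for one private key shared by all `zones`.

    The key is ready only when it is ready in every zone, it must retire when the
    first zone wants it retired (the other zones retire it early, as suggested in
    the message above), and it is dead only once the slowest zone's caches expired.
    """
    per_zone = [zone_timeline(z) for z in zones]
    publish = min(t.publish for t in per_zone)
    ready = max(t.ready for t in per_zone)
    retire = min(t.retire for t in per_zone)
    dead = retire + max(z.dnskey_ttl + z.propagation for z in zones)
    return KeyTimeline(publish, ready, retire, dead)


def has_active_window(zones: list[ZoneParams]) -> bool:
    """False when a zone joins so late that the shared key is never safely usable:
    by the time it is ready everywhere it is already due to retire."""
    t = shared_key_timeline(zones)
    return t.ready < t.retire


def lifetime_given_up(zones: list[ZoneParams]) -> dict[str, timedelta]:
    """How much of its own planned active lifetime each zone loses by sharing."""
    shared = shared_key_timeline(zones)
    return {z.name: zone_timeline(z).retire - shared.retire for z in zones}


# Constructed sample data (not from the original thread).
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
ZONES = [
    ZoneParams(f"zone{i:02d}.example", datetime(2008, 12, 1), HOUR, HOUR, 30 * DAY)
    for i in range(1, 11)
]
LATE_ZONE = ZoneParams("zone11.example", datetime(2008, 12, 15), HOUR, HOUR, 30 * DAY)
TOO_LATE_ZONE = ZoneParams("zone12.example", datetime(2008, 12, 31), HOUR, HOUR, 30 * DAY)

if __name__ == "__main__":
    all_zones = ZONES + [LATE_ZONE]
    print("zone11 alone:", zone_timeline(LATE_ZONE))
    print("shared key:  ", shared_key_timeline(all_zones))
    print("lifetime lost:", lifetime_given_up(all_zones)["zone11.example"])
    print("zone12 would fit:", has_active_window(ZONES + [TOO_LATE_ZONE]))
```

With these inputs the shared key is ready only at 02:00 on 15 Dec (zone 11's ready time) but must still retire at 02:00 on 31 Dec (the first ten zones' retire time), so zone 11 gives up 14 days of its planned 30. A zone that joins on 31 Dec has no active window at all: the "retire early" fix only works if the latecomer is added well before the shared retire date, which is exactly the coordination the message asks about.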